Article No° | Product Name | Affected Version(s)
---|---|---
1175941 | PROFINET SDK | 6.0 < 6.6
Several vulnerabilities have been discovered in the Expat XML parser library (aka libexpat).
This open-source component is widely used in many products worldwide.
A remote, anonymous attacker could use an integer overflow to execute arbitrary program code when loading specially crafted XML files.
The Profinet SDK uses the Expat XML parser library as a reference solution for loading the XML-based Profinet network configuration files (IPPNIO or TIC).
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Availability, integrity, or confidentiality of a device using the PROFINET Controller Stack might be compromised by attacks exploiting these vulnerabilities. If specially crafted Profinet network configuration files (IPPNIO or TIC) are loaded during the Profinet startup, an integer overflow leads to a buffer overflow which enables the attacker to elevate privileges and obtain access to the device. The attacker may take over the system, steal data or prevent a system or application from running correctly.
The PROFINET Device Stack provides an optional configuration possibility via the above-mentioned files and might be vulnerable when this dedicated use case is supported.
Mitigation
The PROFINET SDK includes an engineering tool as a reference solution to generate Profinet configuration IPPNIO or TIC XML files. This configuration is transferred to a device running the Profinet stack and loaded during startup of the Profinet stack.
When the IPPNIO or TIC files are transferred via an untrusted environment (e.g. network or e-mail), an attacker aware of the vulnerabilities mentioned above might manipulate the files in a specific way to gain access to the device.
To mitigate these vulnerabilities, the integrity and authenticity of the configuration data must be ensured by transferring the data only via trusted connections.
Advice on how to ensure trusted connections can be found in the following document:
Measures to protect network-capable devices with Ethernet connection.
Companies which are using their own configuration system instead of the reference solution are not affected as long as they do not utilize the related libexpat library.
We kindly advise you to check whether the libexpat library is used in your specific configuration tool chain and, if so, whether its version number is 2.4.6 or higher.
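The following is an added example, not code from the advisory, from PHOENIX CONTACT or from the PROFINET SDK. It shows the two checks a tool-chain owner would want from the text above: comparing a libexpat version against the 2.4.6 floor the advisory names, and parsing an XML configuration document of uncertain provenance with a few defensive handlers. It uses Python's standard `xml.parsers.expat` module, which wraps the same libexpat library, so `version_info` reports the libexpat build the interpreter actually links. The sample documents, the `HardenedConfigParser` class and the 32-element nesting cap are constructed for illustration; real IPPNIO or TIC files may differ, and rejecting DOCTYPE declarations assumes such configuration files do not need a DTD.

```python
"""Check the linked libexpat against the advisory's 2.4.6 floor and parse
an XML configuration file defensively (added example, not SDK code)."""
import xml.parsers.expat as expat

# Minimum fixed libexpat version named in the advisory.
MIN_EXPAT_VERSION = (2, 4, 6)


def parse_version(text: str) -> tuple:
    """Turn '2.4.6' or the 'expat_2.4.6' form used by EXPAT_VERSION into ints."""
    text = text.strip()
    if text.startswith("expat_"):
        text = text[len("expat_"):]
    return tuple(int(part) for part in text.split("."))


def is_fixed_version(version: tuple, minimum: tuple = MIN_EXPAT_VERSION) -> bool:
    """True when `version` is at or above `minimum`; short tuples are zero-padded."""
    width = max(len(version), len(minimum))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def linked_expat_is_fixed() -> bool:
    """Check the libexpat that this interpreter's xml.parsers.expat links."""
    return is_fixed_version(tuple(expat.version_info))


class UntrustedXMLError(ValueError):
    """Raised when a document violates the hardening rules below."""


class HardenedConfigParser:
    """Parse a configuration document that arrived over an untrusted path.

    Two reductions of attack surface: DOCTYPE declarations are refused, so DTD
    content models and entity definitions are never handed to the library, and
    element nesting is capped. Neither replaces upgrading libexpat."""

    def __init__(self, max_depth: int = 32):
        self.max_depth = max_depth
        self.depth = 0
        self.elements = []  # element names in document order
        self._parser = expat.ParserCreate()
        self._parser.StartDoctypeDeclHandler = self._reject_doctype
        self._parser.StartElementHandler = self._start
        self._parser.EndElementHandler = self._end

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        # An exception raised inside a handler aborts Parse() immediately.
        raise UntrustedXMLError("DOCTYPE not permitted in configuration files")

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise UntrustedXMLError(f"element nesting deeper than {self.max_depth}")
        self.elements.append(name)

    def _end(self, name):
        self.depth -= 1

    def parse(self, data: bytes) -> list:
        self._parser.Parse(data, True)
        return self.elements


def rejects(data: bytes, max_depth: int = 32) -> bool:
    """True if the hardened parser refuses `data`."""
    try:
        HardenedConfigParser(max_depth).parse(data)
    except UntrustedXMLError:
        return True
    return False


def load_config(data: bytes, max_depth: int = 32) -> list:
    """Refuse to parse at all on a libexpat older than the advisory's floor."""
    if not linked_expat_is_fixed():
        raise RuntimeError(
            f"libexpat {expat.version_info} is below {MIN_EXPAT_VERSION}; upgrade first")
    return HardenedConfigParser(max_depth).parse(data)


# Constructed sample documents; not real IPPNIO/TIC content.
GOOD_CONFIG = (b'<?xml version="1.0"?>'
               b'<config><device name="ctrl-1"><port id="1"/></device></config>')
DOCTYPE_CONFIG = (b'<?xml version="1.0"?>'
                  b'<!DOCTYPE config [<!ELEMENT config (a)>]><config/>')
DEEP_CONFIG = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    print("linked libexpat:", expat.version_info, "fixed:", linked_expat_is_fixed())
    print("good config elements:", HardenedConfigParser().parse(GOOD_CONFIG))
    print("DOCTYPE rejected:", rejects(DOCTYPE_CONFIG))
    print("deep nesting rejected:", rejects(DEEP_CONFIG))
```

`load_config` is the function a loader would call in place of a bare `Parse()`: it fails closed on an unpatched library instead of silently parsing, and the DOCTYPE and depth checks run on every document regardless of the library version.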
Remediation
PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.